deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fix all rbac related topics

Browse Source
This commit is contained in:
Joey Caparas
2018-08-17 15:27:37 -07:00
parent 13c3a0ed9b
commit d1013e6a1e
8 changed files with 243 additions and 169 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
windows/security/threat-protection/TOC.md
View File

@ -314,8 +314,11 @@
###### [Configure advanced features](windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md)
##### Permissions
###### [Use basic permissions to access the portal](windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md)
###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md)
###### [Create and manage machine groups](windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md)
####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md)
####### [Create and manage machine groups](windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md)
######## [Create and manage machine tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md)
##### APIs
###### [Enable Threat intel](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)

63
windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 04/24/2018
ms.date: 09/13/2018
---
# Assign user access to Windows Defender Security Center
@ -21,8 +21,6 @@ ms.date: 04/24/2018
- Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Windows Defender ATP supports two ways to manage permissions:
@ -37,67 +35,10 @@ Windows Defender ATP supports two ways to manage permissions:
>- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
>- After switching to RBAC, you will not be able to switch back to using basic permissions management.
## Use basic permissions management
Refer to the instructions below to use basic permissions management. You can use either Azure PowerShell or the Azure Portal.
For granular control over permissions, [switch to role-based access control](rbac-windows-defender-advanced-threat-protection.md).
### Assign user access using Azure PowerShell
You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read-only access
#### Before you begin
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
**Full access** <br>
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
**Read only access** <br>
Users with read only access can log in, view all alerts, and related information.
They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
Use the following steps to assign security roles:
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
```
- For **read only** access, assign users to the security reader role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”
```
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
### Assign user access using the Azure portal
1. Go to the [Azure portal](https://portal.azure.com).
2. Select **Azure Active Directory**.
3. Select **Manage** > **Users and groups**.
4. Select **Manage** > **All users**.
5. Search or select the user you want to assign the role to.
6. Select **Manage** > **Directory role**.
7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink)
## Related topic
- [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md)
- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)

84
windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,84 @@
---
title: Use basic permissions to access Windows Defender Security Center
description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/13/2018
---
# Use basic permissions to access the portal
**Applies to:**
- Azure Active Directory
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
Refer to the instructions below to use basic permissions management.
You can use either of the following:
- Azure PowerShell
- Azure Portal
For granular control over permissions, [switch to role-based access control](rbac-windows-defender-advanced-threat-protection.md).
## Assign user access using Azure PowerShell
You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read-only access
### Before you begin
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
**Full access** <br>
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
Assigning full access rights requires adding the users to the <20>Security Administrator<6F> or <20>Global Administrator<6F> AAD built-in roles.
**Read only access** <br>
Users with read only access can log in, view all alerts, and related information.
They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
Assigning read only access rights requires adding the users to the <20>Security Reader<65> AAD built-in role.
Use the following steps to assign security roles:
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
```
- For **read only** access, assign users to the security reader role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress <20>reader@Contoso.onmicrosoft.com<6F>
```
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
## Assign user access using the Azure portal
1. Go to the [Azure portal](https://portal.azure.com).
2. Select **Azure Active Directory**.
3. Select **Manage** > **Users and groups**.
4. Select **Manage** > **All users**.
5. Search or select the user you want to assign the role to.
6. Select **Manage** > **Directory role**.
7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png)

63
windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
View File

@ -154,70 +154,7 @@ Expand an event to view associated processes related to the event. Click on the
The details pane enriches the in-context information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context.
## Add machine tags
You can add tags on machines during an investigation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
You can add tags on machines using the following ways:
- By setting a registry key value
- By using the portal
### Add machine tags by setting a registry key value
Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list.
>[!NOTE]
> Applicable only on the following machines:
>- Windows 10, version 1709 or later
>- Windows Server, version 1803 or later
>- Windows Server 2016
>- Windows Server 2012 R2
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
- Registry key value (string): Group
>[!NOTE]
>The device tag is part of the machine information report thats generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.
### Add machine tags using the portal
Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views.
2. Open the **Actions** menu and select **Manage tags**.
![Image of taking action to manage tags on a machine](images/atp-manage-tags.png)
3. Enter tags on the machine. To add more tags, click the + icon.
4. Click **Save and close**.
![Image of adding tags on a machine](images/atp-save-tag.png)
Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines.
### Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
![Image of adding tags on a machine](images/atp-tag-management.png)
## Use machine groups in an investigation
Machine group affiliation can represent geographic location, specific activity, importance level and others.
You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.
## Related topics

2
windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
View File

@ -39,7 +39,7 @@ As part of the process of creating a machine group, you'll:
>A machine group is accessible to all users if you dont assign any Azure AD groups to it.
## Add a machine group
## Create a machine group
1. In the navigation pane, select **Settings** > **Machine groups**.

81
windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,81 @@
---
title: Create and manage machine tags
description: Use machine tags to group machines to capture context and enable dynamic list creation as part of an incident
keywords: tags, machine tags, machine groups, groups, remediation, level, rules, aad group, role, assign, rank
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/13/2018
---
# Create and manage machine tags
Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic location, specific activity, importance level and others.
You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.
Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
You can add tags on machines using the following ways:
- By setting a registry key value
- By using the portal
## Add machine tags<67>by setting a registry key value
Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list.
>[!NOTE]
> Applicable only on the following machines:
>- Windows 10, version 1709 or later
>- Windows Server, version 1803 or later
>- Windows Server 2016
>- Windows Server 2012 R2
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
- Registry key value (string): Group
>[!NOTE]
>The device tag is part of the machine information report that<61>s generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.
## Add machine tags using the portal
Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views.
2. Open the **Actions** menu and select **Manage tags**.
![Image of taking action to manage tags on a machine](images/atp-manage-tags.png)
3. Enter tags on the machine. To add more tags, click the + icon.
4. Click **Save and close**.
![Image of adding tags on a machine](images/atp-save-tag.png)
Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines.
### Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
![Image of adding tags on a machine](images/atp-tag-management.png)

48
windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
View File

@ -42,9 +42,9 @@ Windows Defender ATP RBAC is designed to support your tier- or role-based model
- Create custom roles and control what Windows Defender ATP capabilities they can access with granularity.
- **Control who can see information on specific machine group or groups**
- [Create machine groups](machine-groups-windows-defender-advanced-threat-protection.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure AD user group.
- [Create machine groups](machine-groups-windows-defender-advanced-threat-protection.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure Active Directory (Azure AD) user groups assigned to the roles.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure AD user groups assigned to the roles.
### Before you begin
@ -67,48 +67,10 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a
>
> After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
## Create roles and assign the role to a group
To properly implement RBAC you'll need to take the following steps:
- Create roles and assign them to an Azure AD group
-
1. In the navigation pane, select **Settings > Role based access control > Roles**.
2. Click **Add role**.
3. Enter the role name, description, and permissions youd like to assign to the role.
- **Role name**
- **Description**
- **Permissions**
- **View data** - Users can view information in the portal.
- **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions.
- **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
4. Click **Next** to assign the role to an Azure AD group.
5. Use the filter to select the Azure AD group that youd like to add to this role.
6. Click **Save and close**.
7. Apply the configuration settings.
## Edit roles
1. Select the role you'd like to edit.
2. Click **Edit**.
3. Modify the details or the groups that are assigned to the role.
4. Click **Save and close**.
## Delete roles
1. Select the role you'd like to delete.
2. Click the drop-down button and select **Delete role**.
## Related topic
- [Create and manage machine groups in Windows Defender ATP](machine-groups-windows-defender-advanced-threat-protection.md)

66
windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,66 @@
---
title: Create and manage roles for role-based access control
description: Create roles and define the permissions assigned to the role as part of the role-based access control implimentation
keywords: user roles, roles, access rbac
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/13/2018
---
# Create and manage roles for role-based access control
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink)
## Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
1. In the navigation pane, select **Settings > Role based access control > Roles**.
2. Click **Add role**.
3. Enter the role name, description, and permissions you<6F>d like to assign to the role.
- **Role name**
- **Description**
- **Permissions**
- **View data** - Users can view information in the portal.
- **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions.
- **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
4. Click **Next** to assign the role to an Azure AD group.
5. Use the filter to select the Azure AD group that you<6F>d like to add to this role.
6. Click **Save and close**.
7. Apply the configuration settings.
## Edit roles
1. Select the role you'd like to edit.
2. Click **Edit**.
3. Modify the details or the groups that are assigned to the role.
4. Click **Save and close**.
## Delete roles
1. Select the role you'd like to delete.
2. Click the drop-down button and select **Delete role**.